Method and Apparatus for Increasing the Speed of Cryptographic Processing

ABSTRACT

Encrypting data in as cascaded block cipher system may be accomplished by applying a first encryption algorithm using a secret shared between first and second parties as a key to generate a secret inner key; applying a second encryption algorithm for a predetermined number of rounds using the secret inner key to generate a plurality of blocks of ciphertext data from a plurality of blocks of plaintext data; and repeating the applying the first encryption algorithm and the applying the second encryption algorithm steps.

RELATED APPLICATIONS

The present application is a continuation of U.S. patent applicationSer. No. 11/008,904 filed Dec. 9, 2004, entitled “METHOD AND APPARATUSFOR INCREASING THE SPEED OF CRYPTOGRAPHIC PROCESSING”, which is to issueon Apr. 10, 2012 as U.S. Pat. No. 8,155,306.

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure, as it appears in the Patent and TrademarkOffice patent file or records, but otherwise reserves all copyrightrights whatsoever.

BACKGROUND

1. Field

The present invention relates generally to cryptography and, morespecifically, to encryption and decryption processing.

2. Description

Encryption algorithms are used to encrypt plaintext data into ciphertextdata in order to protect the content of the plaintext data fromunauthorized access. Various encryption algorithms are known in the artto perform this processing. Encryption may be implemented in hardware,or in software. When implemented in software, some encryption algorithmsmay consume significant processing resources. For example, when theplaintext data represents uncompressed high definition video content,software-based encryption may be too slow for some applications. Hence,techniques that speed up encryption processing, yet still provideadequate security, are desirable. Further, corresponding techniques tospeed up decryption processing are also desirable.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will becomeapparent from the following detailed description of the presentinvention in which:

FIG. 1 is a diagram of an encryption unit according to an embodiment ofthe present invention;

FIG. 2 is a flow diagram illustrating encryption processing according toan embodiment of the present invention;

FIG. 3 is a diagram of an encryption system according to an embodimentof the present invention;

FIG. 4 is a flow diagram illustrating encryption processing according toa further embodiment of the present invention;

FIG. 5 is a diagram of mapping of sets of words to a grid pattern for alightweight update function according to an embodiment of the presentinvention;

FIG. 6 is a flow diagram of a lightweight update function according toan embodiment of the present invention; and

FIG. 7 is a diagram of an encryption system according to a furtherembodiment of the present invention.

DETAILED DESCRIPTION

Embodiments of the present invention comprise a method and apparatus forperforming a cryptographic algorithm in a fast, but secure manner. Anembodiment of the present invention uses a strong counter modeencryption algorithm in combination with a reduced round encryptionalgorithm to achieve higher speed encryption and still maintain strongsecurity. Embodiments include a cascading block cipher system using astrong outer cipher in counter mode to produce keying material (innerkeys) and a faster, relatively weak inner cipher operating only alimited number of encryptions with each generated inner key. The innerkey may be changed often so that an adversary cannot get enoughplaintext/ciphertext pairs to break the inner cipher. Further, even ifthe adversary can compute one inner key, this fact does not help theadversary compute any other inner key. In some embodiments, a sharedsecret state may be generated from a symmetric encryption algorithm incounter mode to enhance the security of overall encryption processing.Additionally, corresponding techniques may be used for decryptionprocessing.

Reference in the specification to “one embodiment” or “an embodiment” ofthe present invention means that a particular feature, structure orcharacteristic described in connection with the embodiment is includedin at least one embodiment of the present invention. Thus, theappearances of the phrase “in one embodiment” appearing in variousplaces throughout the specification are not necessarily all referring tothe same embodiment.

FIG. 1 illustrates an encryption unit according to an embodiment of thepresent invention. Encryption unit 100 performs encryption processing totransform k blocks of plaintext data P (0 . . . k−1) 102 into ciphertextdata C (0 . . . k−1) 104. According to some embodiments, encryption unit100 uses shared secret 106 and shared secret state 108 values inperforming encryption operations as defined further below. Encryptionunit 100 may be implemented in either hardware or software. To performdecryption, a decryption unit (not shown) transforms blocks ofciphertext into plaintext using corresponding decryption operations.

FIG. 2 is a flow diagram 200 illustrating encryption processingperformed by encryption unit 100 according to an embodiment of thepresent invention. Assume there are two parties that desire to exchangedata in a protected manner. The first party and the second party performa well known key exchange procedure to define a shared secret 106 atblock 202. In one embodiment, the well known Diffie-Hellman key exchangeprocedure may be used. In one embodiment, the shared secret comprises asession key, the session key being at least a portion of the sharedsecret. The session key may be a cryptographic key used for symmetriccryptographic processes. In other embodiments, the shared secretcomprises a bit string of any length (e.g., 1024 bits, 2048 bits, etc.),and the session key may be derived from the shared secret by acomputation which uses the shared secret as an input parameter.

At block 204, an inner key counter j may be initialized. At block 206,the party desiring to encrypt plaintext data generates the j'th innerkey, where each inner key (j=0 . . . number of inner keys−1) is equal tothe symmetric encryption of counter j using the session key as the key.In one embodiment, the symmetric encryption operation comprisesapplication of the well known Advanced Encryption Standard (AES)algorithm in AES Counter (CTR) mode (as specified in the NationalInstitute of Standards and Technology (NIST) Special Publication800-38A, 2001 edition) to generate the stream of inner keys. In thetypical usage of Counter mode of AES, the encryption of counter j isused directly to encrypt a plaintext block P(i) into a ciphertext block,e.g., C(i)=P(i) XOR AES(j), where AES(j) denotes the AES encryption ofcounter j using the session key as the AES key. However, in embodimentsof the present invention, the inner keys may be used in a different andnovel way as described herein. Let InnerKey(j)=AES(j) denote the j'thinner key. At block 208, the encrypting party encrypts k blocks ofplaintext P(j*k+0), P(j*k+1), . . . , P(j*k+k−1) using the InnerKey(j)and a known selected “lightweight” encryption (LWE) algorithm to formciphertext blocks C(j*k+0), C(j*k+1), . . . , C(j*k+k−1).

In one embodiment, the encryption of block 208 is performed as follows:

For i=j*k+0, j*k+k−1, let C(i)=P(i) encrypted by InnerKey(j) using a“lightweight” encryption algorithm (LWE).

Next, at block 210, the inner key counter j may be incremented. At block212, if all blocks of plaintext data have been encrypted, the processingends. Otherwise, more blocks of plaintext data are to be encrypted, soprocessing continues with the next set of k blocks at block 206, usingthe incremented value of the counter j.

In an embodiment, the “lightweight” encryption (LWE) algorithm maycomprise a well known, standard cryptographic algorithm, but using fewerrounds so that the encryption is much faster than the standardimplementation. For example, only two or three rounds of the well knownRijndael algorithm may be used instead of ten. Alternatively, only threeor four rounds of the well known Serpent algorithm may be used insteadof 32 rounds. Despite using fewer rounds, the resulting encryptionprovides sufficient security in the context of the present invention.Details on the Rijndael and Serpent algorithms may be found inproceedings of “The First AES Candidate Conference”, NIST, Aug. 20-22,1998. In other embodiments, other numbers of rounds of either of thesealgorithms may be used, or other encryption algorithms may be used.

In this embodiment, a strong counter mode encryption algorithm (e.g.,AES) may be used in combination with a reduced round encryptionalgorithm (e.g., Rijndael or Serpent for a small number of rounds) toachieve higher speed encryption and still maintain strong security.

Pseudo-code for an embodiment of the present invention is shown in TableI.

TABLE I  © 2004 Intel Corporation Let LWE be a light weight encryptionprocess, such as a 2 round Rijndael or a 3 round Serpent, for example. i= 0 /* counts number of blocks of data */ j = 0 /* counts inner keys */Repeat until all plaintext has been encrypted: {InnerKey(j) ← jencrypted by Session Key using AES in Counter mode Repeat k times, /* kis the block size */ { C(i) ← P(i) encrypted by InnerKey(j) using LWE i← i + 1 } j ← j + 1 }

FIG. 3 is a diagram of an encryption system according to an embodimentof the present invention. In the cascaded block cipher of FIG. 3,counter value 304 may be encrypted using a shared secret, such assession key 302, and a symmetric encryption algorithm, such as AES inCounter mode 306 for example, to produce an inner key 308. The inner key308 may be used with a lightweight encryption (LWE) unit to encryptblocks of plaintext 102 into ciphertext 104. In one embodiment, the LWEunit comprises implementation of two or three rounds of the well knownRijndael algorithm. Alternatively, the LWE unit may implement three orfour rounds of the well known Serpent algorithm. Inner key 308 may bechanged frequently by modifying counter value 304 and generating a newinner key using the modified counter value and the AES algorithm inCounter mode. In one embodiment, the counter value may be incrementedfor every selected k blocks of plaintext data. By changing the inner keyfrequently, the security of the resulting ciphertext may be improved.

FIG. 4 is a flow diagram illustrating encryption processing performed byencryption unit 100 according to a further embodiment of the presentinvention. In this embodiment, an encryption algorithm such as AES incounter mode may be used as an outer cipher to provide an inner key andshared state, and a weaker, faster encryption algorithm may be used asan inner cipher to generation an encryption mask. The encryption maskmay be exclusive-or'ed with plaintext data to produce ciphertext data.

The cascaded cipher structure comprises an outer and inner cipher. Theouter cipher may be used as a key stream generator to produce keys usedfor the inner cipher. The outer cipher may also be used as a stategenerator for a shared secret state that is used by the inner cipher inthe generation of an encryption mask. The inner cipher may be used witha reduced number of rounds to increase the speed of the cipher and toreduce the amount of processing power to handle a large quantity ofdata. The inner cipher may be used to encrypt the state to produce a bitstream that is XOR'ed with plaintext data. After all of the sharedsecret state is encrypted, an update function may be applied to modifythe shared secret state. The new shared secret state may then beencrypted to extend the bit stream. This process may be repeated. Due tothe reduced strength of the inner cipher, the number of blocks for whichthe inner cipher is allowed to be used is kept small. When the blocklimit is reached, the outer cipher is reengaged to produce a new innercipher key and shared secret state.

Assume there are two parties that desire to exchange data in a protectedmanner. The first party and the second party perform a well known keyexchange procedure to define a shared secret 106 at block 600. In oneembodiment, the shared secret comprises a session key, the session keybeing a portion of the shared secret. The session key may be acryptographic key used for symmetric cryptographic processes. In otherembodiments, the shared secret comprises a bit string of any length. Theshared secret may be used to create a plurality of cryptographicparameters known as a shared secret state R 108. At block 602, eachparty creates its own copy of the shared secret state R based on theshared secret. One method for creating the cryptographic parameters ofthe shared secret state R is to apply a known cryptographic hashfunction. For each different cryptographic parameter, a name for theparameter and the shared secret may be hashed together by applying thehash function to form the cryptographic parameter. Another method forcreating the cryptographic parameters of the shared secret state R is toapply a known encryption function (such as AES, for example). For eachdifferent cryptographic parameter, a name for the parameter may beencrypted with the shared secret 106 to form the cryptographicparameter. In other embodiments, other methods may also be used. Thus,because the two parties have a shared secret 106, they can form othershared secrets 108. At block 603, an inner key counter j may beinitialized.

At block 604, the party desiring to encrypt plaintext data generates thej'th inner key, where each inner key (j=0 . . . number of inner keys−1)is equal to the symmetric encryption of counter j using the sharedsecret as the key. In one embodiment, the shared secret used comprisesthe session key. In one embodiment, the symmetric encryption operationcomprises application of the well known Advanced Encryption Standard(AES) algorithm in AES Counter (CTR) mode (as specified in the NationalInstitute of Standards and Technology (NIST) Special Publication800-38A, 2001 edition) to generate the stream of inner keys. In thetypical usage of Counter mode of AES, the encryption of key j is useddirectly to encrypt a plaintext block P(i) into a ciphertext blockC(i)=P(i) XOR key AES(j), where AES(j) denotes the AES encryption ofcounter j using the session key as the AES key. However, in embodimentsof the present invention, the inner keys may be used in a different andnovel way as described herein.

In one embodiment, let R₀, R₁, . . . , R_(k-1) denote the shared secretstate R, where k is the number of cryptographic parameters created atblock 602. At block 606, the encrypting party encrypts k blocks ofplaintext P(0), P(1), . . . , P(k−1) using the inner key generated atblock 604 and the shared secret state R to form ciphertext blocks C(0),C(1), . . . , C(k−1).

In one embodiment, the encryption of block 606 is performed as follows:

For i=0 . . . k−1, let T(i)=R(i) encrypted by the inner key (j) using a“lightweight” encryption algorithm (LWE), where T is temporary storagewithin the encryption unit, and then let C(i)=P(i) XOR T(i).

Next, at block 608, the shared secret state R may be updated in a“lightweight” manner. In one embodiment, the lightweight updating may beperformed by a two round AES cipher as the inner cipher. In anotherembodiment, the lightweight updating may be performed by a three roundSerpent cipher as the inner cipher. These resemble key expansionfunctions, and provide non-linearity, mixing of R(i) values, and providebetter performance than the LWE algorithm.

In the AES embodiment for lightweight updating (LWUD) of the sharedsecret state, the difference between the LWUD and the AES key scheduleis that the LWUD uses the last block value to provide mixing betweenR(i) values. The LWUD function used with AES as the inner cipher uses akey schedule-like process. The LWUD function operates on a single R(i)value within the state data. Each R(i) value is handled as four 32 bitvalues that are treated as described in FIPS 197 and updatedsequentially. The first 32 bit value, R_(i,0), uses an S-box lookup thatincludes input from the last word of the previous block, R_(i-1,3). Ifthe index i is zero, then the value R_(RCOUNT-1,3) (wrap around) may beused. The following sequence of operations may be used to updateR_(i,0).

-   1. If i is zero then set temp to R_(i-1,3) else set temp to    R_(RCOUNT-1,3)-   2. Apply the standard AES RotWord( ) transformation to temp; on    little-endian processors, this is equivalent to a 24 bit left    rotation of the 32 value-   3. Apply the standard AES SubBytes( ) transformation to temp to    cause each byte of temp to be replaced by its standard AES S-box    value-   4. Set R_(i,0) to temp XOR R_(i,0)

The remaining values, R_(i,1) through R_(i,3) are updated by settingthem to the XOR of themselves with the previous word in the block. Forinstance, R_(i,2) is set to R_(i,2) XOR R_(i,1). In one embodiment, anadditional row shift can be added at this point, so that row 2 iscyclically shifted one byte to the left, row 3 is cyclically shifted twobytes to the left, and row 4 is cyclically shifted three bytes to theleft. In another embodiment, the XOR of temp with R_(i,0) could occurbefore step 3 instead of after step 3.

An optimization to handle the wrap around reference to R_(i-1,3) is thefollowing. After new state data is generated, set temp toR_(RCOUNT-1,3). This handles the wrap around case the first time stateblock R₀ is updated. Additionally, whenever a block is updated, set tempto R_(i,3). This will automatically handle all cases, including the wraparound case, for all block updates until the inner key is replaced.

In the Serpent embodiment, a different LWUD function may be used. Theupdate function for use with Serpent cipher operates on sequences offour standard Serpent blocks of 128 bits each. Each set of four blocksis treated as a four-by-four grid of 32-bit little-endian words. FIG. 5illustrates the mapping of each set of 16 words to the grid pattern usedby the updated function. The words are shown in memory order. Using therecommended parameters above, the eight 128-bit Serpent blocks in thestate data are organized into two sets of grid data.

FIG. 6 illustrates the overall state update function flow for thisembodiment. The process uses a temporary four-by-four “update grid” (notshown) that is used to propagate data between the update steps.Following the diagram from left to right shows the operations performedto complete a state update with the recommended parameters. The updatefunction uses the following steps:

-   1. Copy the last grid in the state data into the update grid-   2. Apply a data rotation process to the update grid-   3. For each grid in the state, do the following-   4. Apply S-box substitution to the update grid-   5. Replace each word of the update grid with the XOR of itself with    the corresponding word in the current state grid-   6. Overwrite the contents of the current state grid with the    contents of the update grid

The rotate stage is only performed once at the beginning of the stateupdate function (Step 2 above). It causes a heavy interaction betweenall bits in the state data. It is not performed in the processing ofeach grid in the state data because part of the processing is “slow”compared to the other update operations.

Returning to FIG. 4, at block 610, the encrypting and updating of blocks606 and 608 may be repeated a selected number of times (denoted gherein) using the current InnerKey(j). A new inner key may then begenerated at block 612 and blocks 606, 608, and 610 may be repeated fork*g blocks of plaintext data P. At block 614, every selected number ofiterations f, a new shared secret state R may be created. In oneembodiment, generation of a new shared secret state comprisesapplication of the AES encryption algorithm to encrypt each parameter ofthe shared secret state using the new inner key in a “strong update”manner. In another embodiment, generation of a new shared secret state Rmay be accomplished by incrementing the counter j, and using theencryption of the next k values of the counter for the values of R₀, R₁,. . . , R_(k-1). When all blocks of plaintext data have been processedinto ciphertext data, processing ends.

In one embodiment, the parameters for k, g, and f, may be chosen suchthat f*k*g is less then or equal to 256. In an embodiment, thecomponents of shared secret state R may be encrypted using 128-bit keysas shared secrets.

An embodiment of the present invention is defined more formally below inthe pseudo-code of Table II.

Table II

 © 2004 Intel Corporation Select parameters k, g, and f Let LWE be alight weight encryption process, such as a 2 or 3 round Rijndael or a 3or 4 round Serpent, for example. Let LWUD (Lightweight Update) be afunction which takes as input the Shared Secret State, and inner key(j), and outputs a new Shared Secret State. LWUD should be fast andinvolve cryptographic scrambling operations. Let SUD (Strong Update) bea function which takes as input the Shared Secret State R and inner key(j), and outputs a new Shared Secret State. SUD should be very strongcryptographically and execute in time similar to the time of an AESencryption. An example of SUD is: Shared Secret State = R(0), R(1), ..., R(k−1) For i = 0 .. k−1, R(i) ← R(i) encrypted by InnerKey(j) usingAES. i = 0 /* i counts total blocks of data */ j = 0 /* j counts innerkeys */ Let R(0), R(1), ... , R(k−1) be the Shared Secret State Repeatuntil all Plaintext has been encrypted: {Repeat f times: /* changeshared secret state every f times */ {InnerKey(j) ← j encrypted bySession Key using AES in Counter mode Repeat g times: {For ik = 0 to k −1, {T(ik) ← R(ik) encrypted by InnerKey(j) using LWE C(i) ← P(i) XORT(ik) i ← i + 1 } Shared Secret State ← LWUD (Shared Secret State) } j ←j + 1 } Shared Secret State ← SUD (Shared Secret State) }

The efficiency of embodiments of the present invention compare favorablyto an implementation of the well known AES algorithm. If the LWEalgorithm is two rounds of the well known Rijndael algorithm or threerounds of the well known Serpent algorithm, then processing time for LWEis about ⅕ of the time of processing AES. Let us count the number of AESencryptions to encrypt f*g*k plaintext blocks. Suppose that the LWUD andSUD methods are the examples given earlier. There are f AES encryptionsto compute the f masks. There are also f key expansion operations to setup the LWE for using mask (j). Let us approximate this as about the sameamount of time as an AES encryption. There are k+1 AES encryptions tocompute for SUD. There are g*f LWE encryptions to compute the LWUD, andthere are f*g*k LWE encryptions to compute the T(ik)'s. Thus, the totalprocessing time is approximately 2f+k+1+g*f/5+f*g*k/5 AES encryptions.If we divide this by f*g*k to get the amortized amount of computationper plaintext block, we get: 2/(gk)+1/(fg)+1/(fgk)+1/(5k)+1/5. If we setf=g=k=16, then this sum is approximately 23% of an AES encryption, for aprojected speed improvement of over 4. In some embodiments, three roundsof Rijndael or four round of Serpent may be preferred, but the speedimprovement will be less.

FIG. 7 is a diagram of an encryption system according to a furtherembodiment of the present invention. In the cascaded block cipher ofFIG. 7, counter value 704 may be encrypted using a shared secret, suchas session key 702, and a symmetric encryption algorithm, such as AES inCounter mode 706 for example, to produce an inner key 708. In oneembodiment, AES may also be used to generate shared secret state 712.The inner key 708 may be used with a lightweight encryption (LWE) unit710 to generate an encryption mask T 711, which is input to XOR function714 to encrypt blocks of plaintext 102 into ciphertext 104. Lightweightupdate unit 713 may be used to update the shared secret state 712. Inone embodiment, the LWE unit comprises implementation of two rounds ofthe well known Rijndael algorithm. Alternatively, the LWE unit mayimplement three rounds of the well known Serpent algorithm.Alternatively, three rounds of Rijndael or four rounds of Serpent may beused. Inner key 708 may be changed frequently by modifying counter value704 and generating a new inner key using the modified counter value andthe AES algorithm in Counter mode. In one embodiment, the counter valuemay be incremented for every selected k blocks of plaintext data. Bychanging the inner key frequently, the security of the resultingciphertext may be improved. Periodically, shared secret state 712 may bere-generated by strong update unit 716.

Although encryption processing has been described in detail for thevarious embodiments herein, one skilled in the art will recognize thatperformance of decryption processing based on the present invention willrequire the appropriate inverse operation on ciphertext to produceplaintext data.

Although the operations disclosed herein may be described as asequential process, some of the operations may in fact be performed inparallel or concurrently. In addition, in some embodiments the order ofthe operations may be rearranged without departing from the spirit ofthe invention.

The techniques described herein are not limited to any particularhardware or software configuration; they may find applicability in anycomputing or processing environment. The techniques may be implementedin hardware, software, or a combination of the two. The techniques maybe implemented in programs executing on programmable machines such asmobile or stationary computers, personal digital assistants, set topboxes, cellular telephones and pagers, and other electronic devices,that each include a processor, a storage medium readable by theprocessor (including volatile and non-volatile memory and/or storageelements), at least one input device, and one or more output devices.Program code is applied to the data entered using the input device toperform the functions described and to generate output information. Theoutput information may be applied to one or more output devices. One ofordinary skill in the art may appreciate that the invention can bepracticed with various computer system configurations, includingmultiprocessor systems, minicomputers, mainframe computers, and thelike. The invention can also be practiced in distributed computingenvironments where tasks may be performed by remote processing devicesthat are linked through a communications network.

Each program may be implemented in a high level procedural or objectoriented programming language to communicate with a processing system.However, programs may be implemented in assembly or machine language, ifdesired. In any case, the language may be compiled or interpreted.

Program instructions may be used to cause a general-purpose orspecial-purpose processing system that is programmed with theinstructions to perform the operations described herein. Alternatively,the operations may be performed by specific hardware components thatcontain hardwired logic for performing the operations, or by anycombination of programmed computer components and custom hardwarecomponents. The methods described herein may be provided as a computerprogram product that may include a machine readable medium having storedthereon instructions that may be used to program a processing system orother electronic device to perform the methods. The term “machinereadable medium” used herein shall include any medium that is capable ofstoring or encoding a sequence of instructions for execution by themachine and that cause the machine to perform any one of the methodsdescribed herein. The term “machine readable medium” shall accordinglyinclude, but not be limited to, solid-state memories, optical andmagnetic disks, and a carrier wave that encodes a data signal.Furthermore, it is common in the art to speak of software, in one formor another (e.g., program, procedure, process, application, module,logic, and so on) as taking an action or causing a result. Suchexpressions are merely a shorthand way of stating the execution of thesoftware by a processing system cause the processor to perform an actionof produce a result.

While this invention has been described with reference to illustrativeembodiments, this description is not intended to be construed in alimiting sense. Various modifications of the illustrative embodiments,as well as other embodiments of the invention, which are apparent topersons skilled in the art to which the invention pertains are deemed tolie within the spirit and scope of the invention.

1. A method comprising: encrypting, via a processor, at least one set ofplaintext data including a plurality of plaintext data blocks stored inmemory, wherein encrypting each set of plaintext data includes applyinga first encryption algorithm in a counter mode using a secret sharedbetween first and second parties as a key to generate a secret innerkey, and applying a lightweight encryption algorithm, using the secretinner key to generate a block of ciphertext data from each of theplurality of plaintext data blocks, wherein the lightweight encryptionalgorithm is a different type of algorithm than the first encryptionalgorithm.
 2. The method of claim 1, wherein the first encryptionalgorithm comprises the Advanced Encryption Standard (AES) encryptionalgorithm, and the lightweight encryption algorithm comprises at leastone of the Rijndael algorithm and the Serpent algorithm.
 3. An articlecomprising: a non-transitory storage medium having a plurality ofmachine readable instructions, wherein when the instructions areexecuted by a processor, the instructions provide for encryption of atleast one set of plaintext data including a plurality of plaintext datablocks into ciphertext data, the instructions including, for each set ofplaintext data applying a first encryption algorithm in a counter modeusing a secret shared between first and second parties as a key togenerate a secret inner key, and applying a lightweight encryptionalgorithm, using the secret inner key to generate a block of ciphertextdata from each of the plurality of plaintext data blocks, wherein thelightweight encryption algorithm is a different type of algorithm thanthe first encryption algorithm.
 4. The article of claim 3, wherein thefirst encryption algorithm comprises the Advanced Encryption Standard(AES) encryption algorithm and the lightweight encryption algorithmcomprises at least one of the Rijndael algorithm and the Serpentalgorithm.
 5. The article of claim 3, wherein the first encryptionalgorithm comprises the Rijndael algorithm and the lightweightencryption algorithm comprises the Serpent algorithm.
 6. A cascadingblock cipher system comprising: a processor; a memory to store at leastone set of plaintext data, each set of plaintext data including aplurality of blocks of plaintext data; a first encryption unit, executedvia the processor, operating in a counter mode using a secret sharedbetween first and second parties as a key to generate a secret inner keyfor each set of plaintext data; and a lightweight encryption unit,executed via the processor, operating using the secret inner key togenerate blocks of ciphertext data from the blocks of plaintext data,the lightweight encryption unit to implement a different type ofalgorithm than the algorithm to be implemented by the first encryptionunit.
 7. The cascading block cipher system of claim 6, wherein the firstencryption algorithm implements the Advanced Encryption Standard (AES)encryption algorithm and the lightweight encryption unit implements atleast one of the Rijndael algorithm and the Serpent algorithm.